Warkitting: The Drive-by Subversion of Wireless Home Routers

[Searching_ _ _]

Quote:

Until recently, the perceived risk of wireless routers has centered around unauthorized network and bandwidth use. However, as we illustrate in this paper, the risks are far greater. An open router is a gateway for eavesdropping, redirection to fraudulent websites, and traffic profiling. These capabilities grant the attacker nearly total control over how the network’s clients interact with the Internet.
...
WAPjacking changes the settings of existing firmware to bring some benefit to the attacker. While configurable parameters vary among router models and manufacturers, most routers destined for the home market allow users to select a DNS server, enable administrative access via the Internet, log usage statistics, send usage reports to an email address, and control the traffic routing.

In a WAPkitting attack, external software seizes control from the router’s firmware. While most easily accomplished by exploiting open administrative access, WAPkitting can theoretically proceed by more traditional means such as buffer overflow.
The ability to install arbitrary control software on a wireless router opens unlimited possibilities to an attacker. Once installed, the router has the ability to tell the user one thing while doing another.
Moreover, the hardware reset button on these devices only clears the NVRAM, a small section of the memory that stores the settings registry for factory firmware but not necessarily the malicious firmware. The malicious software can detect NVRAM resets and behave accordingly. Above all, it will never let the user re-flash the firmware, although it may appear to do so.
...
In particular, a WAPkitted wireless router could use race pharming to perform man-in-the-middle attacks on clients that are part of a different, but nearby, wireless network.

Warkitting: The Drive-by Subversion of Wireless Home Routers PDF